Some of you may be aware of the recently announced Portsmash vulnerability:
https://www.openwall.com/lists/oss-secu ... 18/11/01/4
The problem is caused by the design of the cpu: the so-called hyperthreads (simultaneous multithreading, or SMT for short) are not subject to the same sort of security checks that are carried out in the physical cores.
OpenBSD 6.4 has disabled SMT by default because of this (the devs predicted the vulnerability) and the advice for Linux is now to disable SMT via the firmware ("BIOS") settings, if possible.
Unfortunately, my machine has no such option so I have to use a systemd unit file instead.

To write the unit we first need to determine which cpu(s) to turn off, so run this command:
empty@buster:~ $ lscpu --extended
CPU NODE SOCKET CORE L1d:L1i:L2:L3 ONLINE MAXMHZ    MINMHZ
  0    0      0    0 0:0:0:0       yes    2400.0000 1199.0000
  1    0      0    0 0:0:0:0       yes    2400.0000 1199.0000
  2    0      0    1 1:1:1:0       yes    2400.0000 1199.0000
  3    0      0    1 1:1:1:0       yes    2400.0000 1199.0000
empty@buster:~ $
^ The CORE column shows which physical cpu is hosting which virtual cpu and in my case cpu1 & cpu3 are hyperthreads and need to be disabled.
To disable them, use this script (saved to /usr/local/bin/nosmt):
#!/bin/sh
# take the listed hyperthread siblings offline (0 = offline)
for n in 1 3
do echo 0 > /sys/devices/system/cpu/cpu${n}/online
done
^ Change the `for n in 1 3` line according to the hardware in use.
And a matching onsmt script (to re-enable SMT when the .service is stopped):
#!/bin/sh
# bring the same hyperthread siblings back online (1 = online)
for n in 1 3
do echo 1 > /sys/devices/system/cpu/cpu${n}/online
done
Save both of those files and make them executable:
chmod +x /usr/local/bin/{no,on}smt
And this is the systemd custom unit file:
# /etc/systemd/system/nosmt.service
[Unit]
Description=Disable SMT
[Service]
RemainAfterExit=yes
ExecStart=/usr/local/bin/nosmt
ExecStop=/usr/local/bin/onsmt
[Install]
WantedBy=multi-user.target
Once the unit file is saved, enable and start the .service with:
systemctl enable --now nosmt
Check that the hyperthreads have been disabled with `lscpu --extended` and check the .service with `systemctl status nosmt` (it should be reported as "active").
SMT can be enabled again by stopping the .service:
systemctl stop nosmt
If there are any problems, check the journal:
journalctl -u nosmt
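As an added example (my own, not part of the original post), here is a POSIX sh script that derives the sibling threads from the kernel's topology files instead of hardcoding `for n in 1 3`, so the same script works on any machine. It assumes the standard Linux sysfs paths shown in the comments; the `SYSFS_CPU` variable and the `smtctl` name are hypothetical, added only so the logic can be exercised against a scratch directory. Re-enabling walks the `online` files rather than the topology files, because an offline cpu's `topology` directory is not present.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the hyperthread
# siblings from the kernel's topology files instead of hardcoding "1 3".
# Assumes the standard Linux sysfs layout
#   /sys/devices/system/cpu/cpuN/topology/thread_siblings_list
#   /sys/devices/system/cpu/cpuN/online
# SYSFS_CPU is a hypothetical override so the logic can be exercised against
# a scratch directory; it defaults to the real path.
: "${SYSFS_CPU:=/sys/devices/system/cpu}"

# expand_list: turn a kernel cpulist such as "0-1,4,6-7" into one cpu per line.
expand_list() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r range; do
        case "$range" in
            "") ;;
            *-*) lo=${range%-*}; hi=${range#*-}
                 while [ "$lo" -le "$hi" ]; do
                     echo "$lo"; lo=$((lo + 1))
                 done ;;
            *)   echo "$range" ;;
        esac
    done
}

# topology_lines: emit "N:<thread_siblings_list>" for every cpu that has a
# readable topology entry (offline cpus do not, so this only sees online ones).
topology_lines() {
    for dir in "$SYSFS_CPU"/cpu[0-9]*; do
        f="$dir/topology/thread_siblings_list"
        [ -r "$f" ] || continue
        echo "${dir##*/cpu}:$(cat "$f")"
    done
}

# secondary_threads: read "N:<cpulist>" lines on stdin and print, sorted and
# unique, every cpu that is a sibling of a lower-numbered cpu in the same core.
# The lowest cpu of each core stays online; the rest are the hyperthreads.
secondary_threads() {
    while IFS=: read -r _cpu list; do
        first=$(expand_list "$list" | sort -n | head -n 1)
        [ -n "$first" ] || continue
        expand_list "$list" | while IFS= read -r sib; do
            if [ "$sib" -ne "$first" ]; then echo "$sib"; fi
        done
    done | sort -n | uniq
}

# offline_cpus: print the cpus whose online file currently reads 0.
offline_cpus() {
    for dir in "$SYSFS_CPU"/cpu[0-9]*; do
        f="$dir/online"
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "0" ]; then echo "${dir##*/cpu}"; fi
    done | sort -n
}

# set_online: write 0 or 1 to the online file of each cpu number given.
set_online() {
    state=$1; shift
    for n in "$@"; do
        echo "$state" > "$SYSFS_CPU/cpu$n/online"
    done
}

# Usage (hypothetical name smtctl): "smtctl off" takes the sibling threads
# offline, "smtctl on" brings back everything that is currently offline.
case "${1:-}" in
    off) set_online 0 $(topology_lines | secondary_threads) ;;
    on)  set_online 1 $(offline_cpus) ;;
esac
```

With this one script in place of nosmt/onsmt, the unit would point ExecStart at `smtctl off` and ExecStop at `smtctl on`; the rest of the unit and the `systemctl` / `lscpu --extended` checks above stay the same.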
Alternative methods for different init systems are listed here: viewtopic.php?p=684521#p684521